If your company is a service organization that provides a form of outsourced services to other business entities (user entities), you have likely heard of SOC reports. Many of you have also likely been asked to provide a copy of your SOC report as part of a proposal or other due diligence work.
Despite the increased prevalence of these reports, many are still wondering what a SOC report is and whether they should undergo a SOC examination.
A SOC report details relevant aspects of a system of internal controls related to outsourced services provided by a service organization. These reports are intended to provide user entities with the information needed to assess the risks associated with utilizing outsourced services. Included in the report is a description of the system of internal controls, which is prepared by the service organization itself.
An independent auditor then reviews the description and evaluates the design of controls in place, tests whether key controls were operating effectively (in Type 2 reports only, see below), and provides an opinion on the overall system of internal controls as they relate to the outsourced services covered by the scope of the report.
There are two primary types of SOC reports available for service organizations, each of which is designed to meet different needs of their user entities:
SOC 1
Focuses on the service organization’s internal controls as they relate to financial reporting at the user entity.
SOC 2
Intended to meet the needs of a broad range of users that need to understand internal controls at a service organization as they relate to operational controls over security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems.
Both SOC 1 and SOC 2 reports may be presented as either a Type 1 or Type 2 report.
Type 1
This report is as of a point in time and only evaluates whether the system of controls was suitably designed.
Type 2
This report also evaluates the suitability of design, but further evaluates whether the controls were operating effectively over a specified period of time. Type 2 reports are far more common and are generally what user entities are looking for.
While the primary reports are SOC 1 and SOC 2, there are several less common reports as well.
While the primary aim of a SOC report is to provide valuable information to user entities related to the service organization’s system of controls, a properly executed SOC examination will also provide significant value to the service organization itself.
Throughout the course of preparing for and completing the examination, management will need to review and assess their design of internal controls. During the process, auditors can assist management in finding opportunities to improve both the effectiveness and efficiency of company policies and procedures as they relate to the system of internal controls.
If it is determined that your organization would benefit from a SOC examination, it is highly recommended that you work with your auditor to perform a readiness assessment prior to the full SOC examination.
A readiness assessment will allow your auditors to review and evaluate your system of internal controls and provide feedback including recommendations for areas that need improvement without having to detail results in a report. This will give your organization the ability to address any deficiencies and increase the likelihood of a clean auditor’s opinion in your first SOC report.
Despite the fact that SOC reports are a valuable tool for both service organizations and user entities, they are not appropriate for all organizations. Even if a customer or potential customer is requesting your organization’s SOC report, that does not necessarily mean that a SOC engagement is the appropriate course of action.
Your accountant is your best resource to assist in determining whether or not a SOC report is right for your organization.